What is Java keytool?
The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the java keytool to list the contents a keystore. In many respects, the java keytool is a competing utility with openssl for keystore, key, and certificate management. The keytool list command will list the contents of your keystore.
Why use the Java keytool to list keystore certificates, keys, and entries?
You may want to list the certificates, keys, and keystore entries to audit the entries and ensure they are still valid for your application needs. You should ensure each entry is still necessary and ensure that the key entries are being rotated. You may also output the PEM encoded cert for inspection.
What keytool command do I use to list the contents of a keystore?
Use this command to list the contents of a keystore using the java keytool. The result will be a detailed listing of the keystore. Note that this example uses the -alias option. If -alias is not used then all contents and aliases of the keystore will be listed. This example also uses the optional -rfc switch to also display the PEM encoded certificate.
keytool -list \
> -rfc \
> -alias example \
> -keystore example.p12 \
> -storepass changeit \
> -storetype PKCS12
Again, the above java keytool list command will list the certificates (certs and cacerts) with the key entry by including the rfc flag.
A more shorthand version of the same command, not using the alias option, to show the entire contents of the keystore.
keytool -list -keystore example.p12
The output will look similar to the following:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
example, Jan 13, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D
Where example, Jan 13, 2021, PrivateKeyEntry is the entry by alias, date, and entry type.
You may also include the -v flag to provide a verbose output of the keystore:
keytool -list -v -keystore example.p12
Which will display console output similar to the following:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: example
Creation date: Jan 13, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com, OU=exampleou, DC=example, DC=com
Issuer: CN=example.com, OU=exampleou, DC=example, DC=com
Serial number: 52f5b97b
Valid from: Thu Dec 19 00:00:00 EST 2019 until: Fri Dec 18 00:00:00 EST 2020
Certificate fingerprints:
SHA1: B2:0B:1B:3B:70:C5:F6:58:0F:19:6A:6F:45:11:55:C4:4F:CE:EE:F5
SHA256: 9D:E7:F2:58:96:91:13:84:7F:AD:D7:EC:B7:8E:AD:29:47:80:FE:FB:4B:1E:7A:8D:FE:DE:63:E0:B0:5B:DB:8D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C8 33 78 6A 09 D2 39 6A 79 57 EE 79 0C F1 40 05 .3xj..9jyW.y..@.
0010: B6 92 90 70 ...p
]
]
Java keytool options:
-rfc
– Output the certificate specified by its alias in PEM format.
-alias
– The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.
-keystore
– The filename of the keystore.
-storepass
– The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype
– Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

Here are the official keytool docs to dive further into how to list certificate contents of the keystore. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__DISPLAYDATA-507D2B01
Leave a Reply